(Note: %Windows% is the Windows folder, which is usually C:\Windows. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It injects code into the following process(es):

explorer.exe

Process Termination

This spyware terminates the following processes if found running in the affected system's memory:

V3LTray.exe

V3LSvc.exe

V3Light.exe

V3LRun.exe

Dropping Routine

This spyware drops the following files wherein it saves the information it gathers:

d3d8d{number}.ini

Download Routine

This spyware connects to the following URL(s) to download its component file(s):

Trend Micro detects the downloaded file as:

BKDR_TENPEQ.SM

Information Theft

This spyware steals sensitive information such as user names and passwords related to the following games:

DKonline.exe

DuelPoker.exe

PMClient.exe

NMWizard24.exe

heroes.exe

Poker.exe

HgSel.exe

NGM.exe

ArcheAge.exe

fifazf.exe

client.exe

KRITIKA_Client.exe

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

www.{BLOCKED}la.com/up/otp.asp

Other Details

This spyware requires its main component to successfully perform its intended routine.

SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

10.180.04

FIRST VSAPI PATTERN DATE:

25 Jul 2013

VSAPI OPR PATTERN File:

10.181.00

VSAPI OPR PATTERN Date:

28 Jul 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%Windows%\setupball.bmp

%Windows%\version.dat

%Windows%\wintmp.dat

%Windows%\winurl.dat

d3d8d{number}.ini

Note: To search for the files listed above, right-click Start then click Search... or Find..., depending on the version of Windows you are running. For each file to be deleted, type its file name in the Named input box. In the Look In drop-down list, select My Computer, then press Enter.

Once located, select the file then press SHIFT+DELETE to permanently delete the file.

Repeat the said steps for all files listed.

Step 6

Scan your computer with your Trend Micro product to delete files detected as TSPY_ONLINEG.OMU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.